--- title: "GPG Best Practices (and Git)" date: 2019-02-17 lastmod: 2019-02-17 categories: ["Blog"] tags: ["linux"] --- I decided to start signing my Git commits for personal, and work Git repositories. Currently, most Git third-party services only support signing commits, but _do not_ support signing pushes. Regardless, it would still be considered good Currently, most Git third-party services only support **signing commits**, but _do not_ support signing pushes. Regardless, it would still be considered good practice to start signing commits. practice to start signing commits. That being said, I've added my public key to my [GitLab](https://gitlab.com/bdebyl), and set the global config to use my key, and sign all of my commits: ```bash git config --global user.signingKey ADAA54FC git config --global commit.gpgSign true ``` _Note: I am using git version `2.20.1` in the above example._ # Getting Started with OpenPGP It is recommended to read through the [Getting Started](https://www.gnupg.org/gph/en/manual/c14.html) on the official GnuPG website. However, I would **strongly** recommend using the `--full-gen-key` option in place of the `--gen-key`. This will allow you to specify additional details about your key, such as using a 4096-bit RSA key. # OpenPGP Keyserver Pool In addition to that, there came the addition of using the [SKS Keyserver Pool](https://sks-keyservers.net/overview-of-pools.php) for sending and receiving keys for OpenPGP. This can be done by obtaining the CA and verifying the signature on the [HKPS Pool Verification](https://sks-keyservers.net/verify_tls.php) page. ## Verification ``` gpg --auto-key-retrieve --verify sks-keyservers.netCA.pem.asc sks-keyservers.netCA.pem ``` The output received was as follows: ``` gpg: Signature made Wed 30 Mar 2016 11:06:29 AM EDT gpg: using RSA key 250B7AFED6379D85 gpg: key 0B7F8B60E3EDFAE3: 1214 signatures not checked due to missing keys gpg: key 0B7F8B60E3EDFAE3: public key "Kristian Fiskerstrand " imported gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u gpg: Total number processed: 1 gpg: imported: 1 gpg: Good signature from "Kristian Fiskerstrand " [unknown] gpg: aka "Kristian Fiskerstrand " [unknown] gpg: aka "Kristian Fiskerstrand " [unknown] gpg: aka "Kristian Fiskerstrand " [unknown] gpg: Note: This key has expired! Primary key fingerprint: 94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 Subkey fingerprint: B4EA D120 C7F8 9A4A EA47 2707 250B 7AFE D637 9D85 ``` ## Adding the HKPS Pool CA Once the signature has been verified, the CA can be moved over to `/usr/share/ca-certificates` to add to your CA certificates via `sudo update-ca-trust` (_Arch_) or `sudo update-ca-certificates` (_Debian/Ubuntu_). Lastly, the following parameters should be added to your `~/.gnupg/gpg.conf`: ``` keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem ``` {{% admonition info "CA Path" %}} On my setup, the full path to the CA certs is: `/etc/ca-certificates/extracted/cadir/sks-keyservers.net_CA.pem` {{% /admonition %}} ## *Optional* - Ensure keys refreshed through keyserver To ensure no keys are pulled from insecure sources, or that an attacked would not be able to designate a keyserver they control, it is recommended to add the following additional parameter to the above `gpg.conf` file: ``` keyserver-options no-honor-keyserver-url ``` --- # More Information There is a whole load of information on [OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices). A few noteworthy points worth exploring: - **Keep an encrypted backup of your secret key** - Have a separate subkey for signing - Keep your primary key entirely offline